MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2abfd77fcd81e97c70c03c519fa23de09967971887eb5d73e118bc87b2a7e230. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Mirai


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash: 2abfd77fcd81e97c70c03c519fa23de09967971887eb5d73e118bc87b2a7e230
SHA3-384 hash: a95cb393e87463f583ddc1d3d94b461e478d8f5880ede71ae4dd20bd1040a131b7468c8032cbf2b7e264fe2f81d05aac
SHA1 hash: ab15dc61666981f4700e66ab0e65c4eba553ef00
MD5 hash: cb6226375ef6fa28cc10004c1a6e2c6b
humanhash: two-eleven-diet-angel
File name:arm7
Download: download sample
Signature Mirai
File size:83'844 bytes
First seen:2026-05-09 12:49:56 UTC
Last seen:Never
File type: elf
MIME type:application/x-executable
ssdeep 1536:a6SL2DPCaOMK9Qy8jhn4eVVFDHNgOMwA/QJGhIVaTp8JrMEb5dXfqefqgqe+YIqV:4CbCauQy8jh4eVuOvuhI68NXfqefqgqF
TLSH T10783E856FD45DA93C6DC24B5FC5F52CA3342A398D3EF352BEC154620128E2AE0E3AE54
telfhash t14ee0d87d0b47169e6bd0c344d74b2419abdc3078071037bcde412b571e931a4724e91a
TrID 50.1% (.) ELF Executable and Linkable format (Linux) (4022/12)
49.8% (.O) ELF Executable and Linkable format (generic) (4000/1)
Magika elf
Reporter abuse_ch
Tags:elf mirai

Intelligence


File Origin
# of uploads :
1
# of downloads :
61
Origin country :
DE DE
Vendor Threat Intelligence
No detections
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sends data to a server
Collects information on the network activity
Collects information on the CPU
Collects information on the RAM
Opens a port
Runs as daemon
Connection attempt
Receives data from a server
Substitutes an application name
Deleting of the original file
Verdict:
Unknown
Threat level:
  0/10
Confidence:
100%
Tags:
expand lolbin mirai
Verdict:
Malicious
Uses P2P?:
false
Uses anti-vm?:
false
Architecture:
arm
Packer:
not packed
Botnet:
unknown
Number of open files:
0
Number of processes launched:
0
Processes remaning?
false
Remote TCP ports scanned:
not identified
Behaviour
no suspicious findings
Botnet C2s
TCP botnet C2(s):
not identified
UDP botnet C2(s):
not identified
Status:
terminated
Behavior Graph:
%3 guuid=7eebe2cc-1a00-0000-2015-b4b3050d0000 pid=3333 /usr/bin/sudo guuid=f4f6d2ce-1a00-0000-2015-b4b30d0d0000 pid=3341 /tmp/sample.bin guuid=7eebe2cc-1a00-0000-2015-b4b3050d0000 pid=3333->guuid=f4f6d2ce-1a00-0000-2015-b4b30d0d0000 pid=3341 execve
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
52 / 100
Signature
Multi AV Scanner detection for submitted file
Sample deletes itself
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1911066 Sample: arm7.elf Startdate: 09/05/2026 Architecture: LINUX Score: 52 26 169.254.169.254, 80 USDOSUS Reserved 2->26 28 192.109.200.228, 443, 49622 TELECOMASET-ASBG Bulgaria 2->28 30 3 other IPs or domains 2->30 32 Multi AV Scanner detection for submitted file 2->32 9 arm7.elf 2->9         started        11 python3.8 dpkg 2->11         started        signatures3 process4 process5 13 arm7.elf 9->13         started        process6 15 arm7.elf 13->15         started        signatures7 34 Sample deletes itself 15->34 18 arm7.elf 15->18         started        20 arm7.elf 15->20         started        22 arm7.elf 15->22         started        24 2 other processes 15->24 process8
Threat name:
Linux.Worm.Mirai
Status:
Malicious
First seen:
2026-05-09 12:50:54 UTC
File Type:
ELF32 Little (Exe)
AV detection:
4 of 24 (16.67%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
antivm discovery
Behaviour
Reads runtime system information
Reads system network configuration
Changes its process name
Checks CPU configuration
Enumerates active TCP sockets
Enumerates running processes
Deletes itself
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:linux_generic_ipv6_catcher
Author:@_lubiedo
Description:ELF samples using IPv6 addresses
Rule name:TH_Generic_MassHunt_Linux_Malware_2026_CYFARE
Author:CYFARE
Description:Generic Linux malware mass-hunt rule - 2026
Reference:https://cyfare.net/
Rule name:unixredflags3
Author:Tim Brown @timb_machine
Description:Hunts for UNIX red flags

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Mirai

elf 2abfd77fcd81e97c70c03c519fa23de09967971887eb5d73e118bc87b2a7e230

(this sample)

  
Delivery method
Distributed via web download

Comments